Create and manage virtual network (VNet) service endpoints and virtual network (VNet) rules in Azure Database for PostgreSQL - Single Server with the Azure portal
APPLIES TO: Azure Database for PostgreSQL - Single Server
Important
Azure Database for PostgreSQL - Single Server is on the retirement path. We strongly recommend that you upgrade to Azure Database for PostgreSQL - Flexible Server. For more information about migrating to Azure Database for PostgreSQL - Flexible Server, see What's happening to Azure Database for PostgreSQL Single Server?.
Virtual Network (VNet) services endpoints and rules extend the private address space of a Virtual Network to your Azure Database for PostgreSQL server. For an overview of Azure Database for PostgreSQL virtual network service endpoints, including limitations, see Azure Database for PostgreSQL Server virtual network service endpoints. Virtual network service endpoints are available in all supported regions for Azure Database for PostgreSQL.
Create a virtual network rule and enable service endpoints in the Azure portal
On the PostgreSQL server page, under the Settings heading, select Connection Security to open the Connection Security pane for Azure Database for PostgreSQL.
Ensure that the Allowed access to Azure services control is set to OFF.
Next, select + Adding existing virtual network. If you don't have an existing virtual network, you can select + Create new virtual network to create one. See Quickstart: Create a virtual network using the Azure portal.
Enter a virtual network rule name, select the subscription, Virtual network, and Subnet name and then select Enable. This automatically enables virtual network service endpoints on the subnet using the Microsoft.SQL service tag.
The account must have the necessary permissions to create a virtual network and service endpoint.
Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.
To secure Azure service resources to a virtual network, the user must have permission to "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/" for the subnets being added. This permission is included in the built-in service administrator roles, by default and can be modified by creating custom roles.
Learn more about built-in roles and assigning specific permissions to custom roles.
VNets and Azure service resources can be in the same or different subscriptions. If the virtual network and Azure service resources are in different subscriptions, the resources should be under the same Active Directory (AD) tenant. Ensure that both the subscriptions have the Microsoft.Sql resource provider registered.
Once enabled, select OK and you'll see that virtual network service endpoints are enabled along with a virtual network rule.